They don’t. It’s a fake User Agent String. I’ve 12 IP addresses in my logs that use this User Agent String, all from China, but none resolving to a hostname, and certainly not to domains baidu.cn or google.com.

And this fake spider doesn’t make any requests for existing documents, not even robots.txt. It’s only looking for ways to attack my sites:

Thursday 20 December 2012

ListModules is a new tool to analyze PE files, like my AnalyzePESig tool. Instead of analyzing all files you point it to, it takes a snapshot of all processes and analyzes the modules (.exe, .dll, …) loaded in these processes. The output is very similar to AnalyzePESig’s output.

Last week I submitted CPE points for listening to 6 months of PaulDotCom Security Weekly podcasts. This CPE points submission was promptly selected for an audit by (ISC)².

I received an e-mail that informed me about the audit process and asked me to provide more information about the points I submitted. I replied with a description of what the podcast was about and with an excerpt from the spreadsheet I keep. A few days later I received a reply to inform me that I passed the audit.

Tuesday 4 December 2012

It has a small explanation for each field found in the output of AnalyzePESig. For example, the fields Issuer Unique ID and Subject Unique ID should always be 0. In the case of the Flame certificate, they are not, because the Issuer Unique ID field was used to help produce the MD5 collision:
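
The same check can be run directly on a DER-encoded certificate. The following is an added example, not AnalyzePESig code and not part of the original post: it reports the payload size of the Issuer Unique ID and Subject Unique ID fields, taking 0 to mean the field is absent (an assumption about what AnalyzePESig's 0 denotes). The function names are hypothetical, and `sample_cert` builds a constructed skeleton certificate, not a real one.

```python
# Added example: function names are hypothetical, sample data is constructed.
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def unique_id_sizes(cert_der):
    """Payload bytes of issuerUniqueID / subjectUniqueID; 0 means the field is absent."""
    outer, cert, _ = read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE
    inner, tbs, _ = read_tlv(cert, 0)       # tbsCertificate ::= SEQUENCE
    if outer != 0x30 or inner != 0x30:
        raise ValueError("not a DER certificate structure")
    sizes = {"issuer": 0, "subject": 0}
    names = {0x81: "issuer", 0x82: "subject"}   # [1] and [2] IMPLICIT BIT STRING
    pos = 0
    while pos < len(tbs):
        tag, content, pos = read_tlv(tbs, pos)
        if tag in names:
            sizes[names[tag]] = max(len(content) - 1, 0)  # drop the unused-bits octet
    return sizes

def der(tag, content):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(octets)]) + octets + content

def sample_cert(issuer_uid=b"", subject_uid=b""):
    """Constructed skeleton certificate: correct field order, empty placeholder fields."""
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 5
    if issuer_uid:
        tbs += der(0x81, b"\x00" + issuer_uid)
    if subject_uid:
        tbs += der(0x82, b"\x00" + subject_uid)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

A non-zero size for either field is the condition the explanation above flags as abnormal.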